-h, --help
Print usage information with a summary of the available options.
-v, --debug level
Set debug level, default: 1.
-+, --options file
Read command line options from file.
-i, --in file
Public key or PKCS#10 certificate request file to issue. If not given the key/request is read from
STDIN.
-t, --type type
Type of the input. One of pub (public key), priv (private key), rsa (RSA private key), ecdsa
(ECDSA private key), ed25519 (Ed25519 private key), ed448 (Ed448 private key), bliss (BLISS
private key) or pkcs10 (PKCS#10 certificate request), defaults to pub.
-k, --cakey file
CA private key file. Either this or --cakeyid is required.
-x, --cakeyid hex
Smartcard or TPM CA private key object handle in hex format with an optional 0x prefix. Either
this or --cakey is required.
-c, --cacert file
CA certificate file. Required.
-d, --dn subject-dn
Subject distinguished name (DN) of the issued certificate.
-a, --san subjectAltName
subjectAltName extension to include in certificate. Can be used multiple times.
-l, --lifetime days
Days the certificate is valid, default: 1095. Ignored if both an absolute start and end time are
given.
-F, --not-before datetime
Absolute time when the validity of the certificate begins. The datetime format is defined by the
--dateform option.
-T, --not-after datetime
Absolute time when the validity of the certificate ends. The datetime format is defined by the
--dateform option.
-D, --dateform form
strptime(3) format for the --not-before and --not-after options, default: %d.%m.%y%T
-s, --serial hex
Serial number in hex. It is randomly allocated by default.
-e, --flag flag
Add extendedKeyUsage flag. One of serverAuth, clientAuth, crlSign, ocspSigning or
msSmartcardLogon. Can be used multiple times. Without modifiers, this overrides flags from PKCS#10
certificate requests. Prefixing a flag with + adds it to the set of flags read from the request,
prefixing it with - removes it from that set.
-g, --digest digest
Digest to use for signature creation. One of md5, sha1, sha224, sha256, sha384, or sha512. The
default is determined based on the type and size of the signature key.
-R, --rsa-padding padding
Padding to use for RSA signatures. Either pkcs1 or pss, defaults to pkcs1.
-f, --outform encoding
Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to
der.
-b, --ca
Include CA basicConstraint extension in certificate.
-u, --crl uri
CRL distribution point URI to include in certificate. Can be used multiple times.
-I, --crlissuer issuer
Optional CRL issuer for the CRL at the preceding distribution point.
-o, --ocsp uri
OCSP AuthorityInfoAccess URI to include in certificate. Can be used multiple times.
-p, --pathlen len
Set path length constraint.
-B, --addrblock block
RFC 3779 address block to include in certificate. block is either a CIDR subnet (such as
10.0.0.0/8) or an arbitrary address range (192.168.1.7-192.168.1.13). Can be repeated to include
multiple blocks. Please note that the supplied blocks are included in the certificate as is, so
for standards compliance, multiple blocks must be supplied in correct order and adjacent blocks
must be combined. Refer to RFC 3779 for details.
-n, --nc-permitted name
Add permitted NameConstraint extension to certificate. For DNS or email constraints, the identity
type is not always detectable by the given name. Use the dns: or email: prefix to force a
constraint type.
-N, --nc-excluded name
Add excluded NameConstraint extension to certificate. For DNS or email constraints, the identity
type is not always detectable by the given name. Use the dns: or email: prefix to force a
constraint type.
-X, --critical oid
Add a critical extension with the given OID.
-M, --policy-mapping issuer-oid:subject-oid
Add policyMapping from issuer to subject OID.
-E, --policy-explicit len
Add requireExplicitPolicy constraint.
-H, --policy-inhibit len
Add inhibitPolicyMapping constraint.
-A, --policy-any len
Add inhibitAnyPolicy constraint.
CertificatePolicy
Multiple certificatePolicy extensions can be added, each with the following information:
-P, --cert-policy oid
OID to include in certificatePolicy extension. Required.
-C, --cps-uri uri
Certification Practice statement URI for certificatePolicy.
-U, --user-notice text
User notice for certificatePolicy.
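
Because --addrblock includes the supplied blocks as is, the ordering and merging that RFC 3779 expects has to happen before the command line is built. The following helper is an added example, not part of this manual page or of the tool it documents; the function names and the sample blocks are constructed for illustration. It sorts blocks (IPv4 before IPv6), merges overlapping or adjacent ones, and writes each result as a CIDR subnet where a single prefix fits, otherwise as a range.

```python
import ipaddress

# Constructed sample input: unsorted, with adjacent subnets and adjacent ranges.
SAMPLE = ["192.168.1.7-192.168.1.13", "10.0.1.0/24", "10.0.0.0/24",
          "2001:db8::/32", "192.168.1.14-192.168.1.20"]

def _parse(block):
    """Return (first, last) addresses of a CIDR subnet or an 'a-b' range."""
    if "-" in block:
        first, last = (ipaddress.ip_address(p.strip()) for p in block.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"invalid address range: {block}")
        return first, last
    net = ipaddress.ip_network(block, strict=True)  # rejects set host bits
    return net[0], net[-1]

def normalize_addrblocks(blocks):
    """Sort blocks and merge overlapping or adjacent ones per address family."""
    spans = sorted((_parse(b) for b in blocks),
                   key=lambda s: (s[0].version, s[0], s[1]))
    merged = []
    for first, last in spans:
        prev = merged[-1] if merged else None
        if prev and prev[0].version == first.version \
                and int(first) <= int(prev[1]) + 1:
            if last > prev[1]:              # extend the previous span
                merged[-1] = (prev[0], last)
        else:
            merged.append((first, last))
    out = []
    for first, last in merged:
        nets = list(ipaddress.summarize_address_range(first, last))
        # A span that is exactly one prefix is written as a prefix, else as a range.
        out.append(str(nets[0]) if len(nets) == 1 else f"{first}-{last}")
    return out

def addrblock_args(blocks):
    """Build the repeated --addrblock arguments in normalized order."""
    args = []
    for block in normalize_addrblocks(blocks):
        args += ["--addrblock", block]
    return args

if __name__ == "__main__":
    print(" ".join(addrblock_args(SAMPLE)))
```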